From 0b2ef8216d47a02aacb734e9ce25398469b8be64 Mon Sep 17 00:00:00 2001
From: Nico Schottelius
Date: Wed, 26 Jan 2022 17:27:47 +0100
Subject: [PATCH] [openwrt] begin to add default firewall
---
 openwrt/openwrt-default-firewall.sh | 49 +++++++++++++++++++++++++++++
 1 file changed, 49 insertions(+)
 create mode 100644 openwrt/openwrt-default-firewall.sh
diff --git a/openwrt/openwrt-default-firewall.sh b/openwrt/openwrt-default-firewall.sh
new file mode 100644
index 0000000..fe6badf
--- /dev/null
+++ b/openwrt/openwrt-default-firewall.sh
@@ -0,0 +1,49 @@
+#!/bin/sh
+# 2022-01-21, Nico Schottelius
+
+# Firewall configuration
+if ! uci show firewall | grep "name='Allow-SSH'"; then
+uci add firewall rule
+uci set firewall.@rule[-1].name='Allow-SSH'
+uci set firewall.@rule[-1].src='wan'
+uci set firewall.@rule[-1].dest='lan'
+uci set firewall.@rule[-1].proto='tcp'
+uci set firewall.@rule[-1].dest_port='22'
+uci set firewall.@rule[-1].target='ACCEPT'
+fi
+
+if ! uci show firewall | grep "name='Allow-HTTPS'"; then
+uci add firewall rule
+uci set firewall.@rule[-1].name='Allow-HTTPS'
+uci set firewall.@rule[-1].src='wan'
+uci set firewall.@rule[-1].dest='lan'
+uci set firewall.@rule[-1].proto='tcp'
+uci set firewall.@rule[-1].dest_port='443'
+uci set firewall.@rule[-1].target='ACCEPT'
+fi
+
+if ! uci show firewall | grep "name='Allow-HTTP'"; then
+uci add firewall rule
+uci set firewall.@rule[-1].name='Allow-HTTP'
+uci set firewall.@rule[-1].src='wan'
+uci set firewall.@rule[-1].dest='lan'
+uci set firewall.@rule[-1].proto='tcp'
+uci set firewall.@rule[-1].dest_port='80'
+uci set firewall.@rule[-1].target='ACCEPT'
+fi
+
+if ! uci show firewall | grep "name='Allow-Remote-SSH-Access'"; then
+uci add firewall rule
+uci set firewall.@rule[-1].name='Allow-Remote-SSH-Access'
+uci set firewall.@rule[-1].src='wan'
+uci set firewall.@rule[-1].proto='tcp'
+uci set firewall.@rule[-1].dest_port='22'
+uci set firewall.@rule[-1].enabled='0'
+uci set firewall.@rule[-1].target='ACCEPT'
+fi
+
+
+# Add interfaces to the right network zone
+uci set firewall.@zone[1].network='wan wan6 wg0'
+
+uci commit
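Review bot: The three enabled rules Allow-SSH, Allow-HTTPS and Allow-HTTP are WAN→LAN forward ACCEPTs with no dest_ip, so they admit traffic to port 22/443/80 on every LAN host reachable from the WAN — behind IPv4 NAT that is only hosts with a matching redirect, but with wan6 in the same zone any LAN host holding a global IPv6 address gets its SSH and web ports opened to the internet. Pin each forward to the host it is meant for, e.g. `uci set firewall.@rule[-1].dest_ip='<target host>'`, and add a comment above each block naming that host and why it must be reachable, so the rule is not mistaken for a router-side allow like the (disabled) Allow-Remote-SSH-Access rule. The idempotency checks should use `grep -q` so the matching rule is not printed on every run, and `firewall.@zone[1]` relies on the wan zone being the second zone in the config, which is typical of the default config but not guaranteed once zones are added — looking it up by name is safer. I assume the caller reloads the firewall afterwards, since `uci commit` alone does not apply the new rules.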